16 matches found
GO-2024-2867 Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana
Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please...
Grafana Spoofing originalUrl of snapshots
To create a snapshot and insert an arbitrary URL, the built-in role Viewer is sufficient. When a dashboard is shared as a local snapshot, the following three fields are offered in the web UI for a user to fill out: • Snapshot name • Expire • Timeout seconds. After the user confirms creation of the...
The vulnerability in the Grafana monitoring and observability platform lies in the improper handling of input during the creation of a web page. This allows an attacker to inject a user-supplied URL into the system.
The vulnerability in the Grafana monitoring and observability platform lies in snapshot creation and the arbitrary choice of the “originalUrl” parameter, which can be modified in the request by way of a web proxy. Exploiting this vulnerability allows a malicious actor to inject the entered URL...
BIT-GRAFANA-2020-11110
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot...
BIT-GRAFANA-2022-39324 Grafana vulnerable to spoofing originalUrl of snapshots
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...
SUSE CVE-2020-11110
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot...
FreeBSD : Grafana -- Spoofing originalUrl of snapshots (e6281d88-a7a7-11ed-8d6a-6c3be5272acd)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the e6281d88-a7a7-11ed-8d6a-6c3be5272acd advisory. - Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and...
UBUNTU-CVE-2022-39324
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...
Open redirect
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...
CVE-2022-39324 Grafana vulnerable to spoofing originalUrl of snapshots
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...
Grafana -- Spoofing originalUrl of snapshots
Grafana Labs reports: A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibili...
Mail.ru: CVE-2020-11110: Grafana Unauthenticated Stored XSS -████.bizml.ru
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. PoC - Send the following HTTP request http POST...
CVE-2020-11110
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot...
Input validation
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot...
PT-2020-12555 · Grafana
Name of the Vulnerable Software and Affected Versions: Grafana versions 6.7.1 and earlier (Grafana before version 6.7.2)
Description: The issue is related to stored XSS due to insufficient input protection in the originalUrl field. This allows an attacker to inject JavaScript code that will be...